From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx Date: Sun, 12 Apr 2026 14:10:53 +1000 Message-ID: In-Reply-To: <20260407-adreno-fix-ubwc-v2-1-7ff73624635e@oss.qualcomm.com> References: <20260407-adreno-fix-ubwc-v2-1-7ff73624635e@oss.qualcomm.com> <20260407-adreno-fix-ubwc-v2-1-7ff73624635e@oss.qualcomm.com> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit MIME-Version: 1.0 Patch Review **Correctness:** The fix is correct. The `ubwc_config` pointer in `struct adreno_gpu` (defined in `adreno_gpu.h:243`) is only initialized for a5xx+ GPUs. The a5xx and a6xx init paths call `qcom_ubwc_config_get_data()` and set `adreno_gpu->ubwc_config = &adreno_gpu->_ubwc_config`, but a2xx, a3xx, and a4xx init functions never touch this field, leaving it as NULL from the kzalloc'd struct. **Completeness:** All three UBWC-related param cases in `adreno_get_param()` are guarded: ```c case MSM_PARAM_HIGHEST_BANK_BIT: if (!adreno_gpu->ubwc_config) return -ENOENT; *value = adreno_gpu->ubwc_config->highest_bank_bit; return 0; ... case MSM_PARAM_UBWC_SWIZZLE: if (!adreno_gpu->ubwc_config) return -ENOENT; *value = adreno_gpu->ubwc_config->ubwc_swizzle; return 0; case MSM_PARAM_MACROTILE_MODE: if (!adreno_gpu->ubwc_config) return -ENOENT; *value = adreno_gpu->ubwc_config->macrotile_mode; return 0; ``` This covers every dereference of `ubwc_config` in this function. No dereference sites are missed. **Error code choice:** `-ENOENT` is a reasonable return value, semantically conveying "this parameter does not exist on this hardware." The `MSM_PARAM_RAYTRACING` case between the first two guarded cases already follows a similar pattern of returning a property that may not be meaningful on all generations, though it returns 0 with `has_ray_tracing` being false. The difference is that `has_ray_tracing` is a direct struct member (always valid), while `ubwc_config` is a pointer that may be NULL, so a distinct error return makes sense here. **Observation (not a blocker):** The agent's exploration revealed that `ubwc_config` is also dereferenced without NULL checks in the hardware init paths: `a5xx_hw_init()` (line ~838, with a `BUG_ON`), `a6xx_set_ubwc_config()` (line ~815), and `a8xx_set_ubwc_config()` (line ~277). However, these code paths are only reached for GPU generations that do initialize `ubwc_config`, so they are not vulnerable to the same NULL dereference. The scoping of this fix to `adreno_get_param()` is correct since that is the function reachable from any GPU generation via the common userspace ioctl path. **Commit message:** Clear, explains the root cause and fix. The `Fixes:` tag correctly references the commit that introduced the regression. **No issues found.** Patch is ready to merge. Reviewed-by: Dave Airlie --- Generated by Claude Code Patch Reviewer